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AMENDMENTS TO THE CLAIMS: 

This listing of claims will replace all prior versions and listings of claims in the 
application: 

1 . (Currently Amended) A method for intrusion detection, comprising: 
receiving at a probe data packets communicated over a first network link; 
converting the received data packets into a format suitable for a second network 

link; 

monitoring, by the probe, the received packets to evaluate network performance; 
collecting, by the probe, current network performance data based on the network 
performance: 

updating, by the probe, historical network performance information with the 
current network performance data: and 

transmitting, by the probe over a second network link, data-converted packets 
and the updated historical network performance information , to an intrusion detection 
system in communication with the second network link , wherein at least one of the data- 
converted packets and the updated historical network performance information is used 
by the intrusion detection system to detect an intrusion on the first network link . 

2. (Original) The method of claim 1 wherein the first network link is a WAN 
link and the second network link is a LAN. 

3. (Original) The method of claim 1 wherein the method further comprises 
receiving, at a probe, data packets communicated over a third network link. 
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4. (Currently Amended) The method of claim 3, further comprising the step 
of aggregating the data packets received over the first network link and the data packets 
received over the third network lin k, wherein the aggregated data packet appears to 
emanate from a single logical source . 

5. (Original) The method of claim 1 wherein the first network link operates 
using at least one HSSI protocol, T1 protocol, E1 protocol, ATM protocol, Packet-Over 
Sonet/SDH protocol, Frame-DS3 protocol, 1G Ethernet protocol, and 10G Ethernet 
protocol. 

6. (Original) The method of claim 1 wherein the first network link comprises 
a protocol that encapsulates data traffic. 

7. (Original) The method of claim 6 wherein the protocol comprises at least 
one of MPLS protocol, GMPLS protocol, VLAN (802.1 q) protocol, HSSI protocol, T1 
protocol, E1 protocol, ATM protocol, Packet-Over Sonet/SDH protocol, Frame-DS3 
protocol, 1G Ethernet protocol, and 10G Ethernet protocol. 

8. (Previously Presented) The method of claim 3, further comprising the step 
of maintaining, by the probe, an audit trail buffer for forensic analysis. 

9. (Original) The method of claim 8 wherein the audit trail buffer comprises a 
memory for recording monitored packets. 
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10. (Original) The method of claim 9, wherein the memory records packets 
from at least one of the first network link and the third network link. 

1 1 . (Original) The method of claim 8, further comprising the steps of: 
receiving, by the probe, an event notification; and 

upon receipt of the event notification, communicating, by the probe, the 
current contents of the audit trail buffer. 

1 2. (Original) The method of claim 1 , wherein the converting step comprises: 
storing received packets in a collection buffer; 

stripping header information associated with a protocol of the first network 

link; and 

adding header information associated with a protocol of the second 

network link. 

13. (Original) The method of claim 12, wherein the step of storing comprises 
storing packets received from at least one of the first network link and a third network 
link. 

14. (Previously Presented) The method of claim 12 wherein: 

the stripping step further comprises stripping checksum information 
associated with the protocol of the first network link; and 

the adding step further comprises adding checksum information 
associated with the protocol of the second network link. 
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15. (Original) The method of claim 13, the step of stripping comprises 
stripping at least one of a Layer 2 MAC header, an Ethernet source address, and an 
Ethernet destination address. 

16-20. (Canceled). 

21 . (Currently Amended) A network performance probe system comprising: 
a first network interface for monitoring packets communicated over a first 

network link; 

a packet converter for converting the monitored data packets into a format 
suitable for a second network link; 

a protocol for collecting current network performance data and updating 
historical network performance information with the current network performance data; 
and 

a second network interface for communicating, over a second network 
link, converted packets and the updated historical network performance information to 
an intrusion detection system in communication with the second network lin k, wherein at 
least one of the data-converted packets and the updated historical network performance 
information is used by the intrusion detection system to detect an intrusion on the first 
network link . 
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22. (Previously Presented) The network performance probe system of claim 
21 further comprising a third network interface for monitoring packets communicated 
over a third network link. 

23. (Currently Amended) The network performance probe system of claim 22 
further comprising an aggregator for aggregating the packets from the first network link 
and the packets from the third network lin k, wherein the aggregated data packet 
appears to emanate from a single logical source . 

24. (Previously Presented) The network performance probe system of claim 
21 wherein the first network link comprises a WAN link and the second network link 
comprises an Ethernet. 

25. (Previously Presented) The network performance probe system of claim 
21 wherein the first network link operates using at least one HSSI protocol, T1 protocol, 
E1 protocol, ATM, Packet-Over Sonet/SDH protocol, Frame-DS3 protocol, and 10G 
Ethernet protocol. 

26. (Previously Presented) The network performance probe system of claim 
21 wherein the first network link comprises a protocol that encapsulates data traffic. 

27. (Previously Presented) The network performance probe system of claim 
26 wherein the protocol comprises at least one of MPLS protocol, GMPLS protocol, 
VLAN (802.1 q) protocol, HSSI protocol, T1 protocol, E1 protocol, ATM protocol, Packet- 
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Over Sonet/SDH protocol, Frame-DS3 protocol, 1G Ethernet protocol, and 10G 

Ethernet protocol. 

28. (Previously Presented) The network performance probe system of claim 

21 , further comprising a performance analyzer for acquiring network performance data 
in response to the monitored packets communicated over the first network link. 

29. (Previously Presented) The network performance probe system of claim 

22, wherein the probe further comprises an audit trail buffer maintainable for forensic 
analysis. 

30-31. (Canceled). 

32. (Previously Presented) The network performance probe system of claim 
29 wherein the audit trail buffer comprises a memory for recording monitored packets 
for forensic analysis. 

33. (Previously Presented) The network performance probe system of claim 
32, wherein the probe further comprises an event notification receiver for causing the 
probe, upon receipt of the event notification, to communicate the current contents of the 
audit trail buffer. 
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34. (Previously Presented) The network performance probe system of claim 

21 , wherein the converter comprises: 

a collection buffer for storing received packets; 

a stripper for stripping header information associated with a protocol of the 
first network link; and 

an adder for adding header information associated with a protocol of the 
second network link. 

35-39. (Canceled). 

40. (Currently Amended) An article of manufacture comprising a program 
storage medium having computer readable program code embodied therein for 
providing intrusion detection, the computer readable program code in the article of 
manufacture including: 

computer readable code for causing a computer to receive at a probe data 
packets communicated over a first network link; 

computer readable code for causing a computer to convert the received 
data packets into a format suitable for a second network link; 

computer readable code for causing a computer to monitor, via the probe, 
the received packets to evaluate network performance; 

computer readable code for causing a computer to collect current network 
performance data based on the network performance; 

computer readable code for causing a computer to update historical 
network performance information with the current network performance data; and 
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computer readable code for causing a computer to transmit, via the probe 
over a second network link, data-converted packets and the updated historical network 
performance information to an intrusion detection system in communication with the 
second network link, so as to prov i d e intrus i on d o toct i on wherein at least one of the 
data-converted packets and the updated historical network performance information is 
used by the intrusion detection system to detect an intrusion on the first network link . 

41 . (Currently Amended) The article of manufacture of claim 40 wherein the 
program storage medium comprises a data signal e mbod ie d i n at least one of a 
computer magnetic disk, a computer optical disk, a tape, a non-volatile memory, a 
system memory, and a computer hard drive. 

42. (Currently Amended) A program storage medium readable by a 
computer, embodying a program of instructions executable by the computer to perform 
method steps for providing intrusion detection, the method steps comprising: 

receiving at a probe data packets communicated over a first network link; 
converting the received data packets into a format suitable for a second 

network link; 

monitoring, by the probe, the received packets to evaluate network 

performance; 

collecting, by the probe, current network performance data based on the 
network performance; 

updating, by the probe, historical network performance information with 
the current network performance data; and 
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transmitting, by the probe over a second network link, data-converted 

packets and the updated historical network performance information to an intrusion 

detection system in communication with the second network lin k, wherein at least one of 

the data-converted packets and the updated historical network performance information 

is used by the intrusion detection system to detect an intrusion on the first network link . 

43. (Currently Amended) The program storage medium of claim 42 further 
comprising a data s i gna l ombod i od in at least one of a computer magnetic disk, a 
computer optical disk, a tape, a non-volatile memory, a system memory, and a 
computer hard drive. 

44. (New) The method of claim 1 , wherein the historical network performance 
information comprises historical traffic profile. 

45. (New) The method of claim 1 , wherein the intrusion detection system uses 
the historical network performance information as a basis for an action. 

46. (New) The network performance probe system of claim 21 , wherein the 
historical network performance information comprises a historical traffic profile. 

47. (New) The network performance probe system of claim 21 , wherein the 
intrusion detection system uses the historical network performance information as a 
basis for an action. 
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